Redactable Blockchain - or - Rewriting History in Bitcoin and Friends

EuroS&P, pp. 111-126, 2017.

Abstract:

We put forward a new framework that makes it possible to re-write or compress content of any number of blocks in decentralized services exploiting blockchain technology. As we argue, there are several reasons to prefer an editable blockchain, spanning from necessity to remove inappropriate content and possibility to support applicatio...

Introduction
  • The main security property satisfied by a secret/public-coin chameleon hash function is that of collision resistance: no PPT algorithm, given the public hash key hk, can find two pairs (m, ξ) and (m', ξ') that are valid under hk and such that m ≠ m', except with negligible probability.
  • Note that each time a block is redacted using Algorithm 1, a collision for the underlying chameleon hash function is exposed.
Highlights
  • Who can make redactions? We show how to make redactions given the knowledge of a secret key
  • We present concrete protocols for securely realizing the ideal functionalities described in the previous section
  • We focus here on a specific construction relying on the Decisional Diffie-Hellman assumption and on the Sigma-protocol due to Schnorr [Sch91]; similar constructions can be obtained based on the RSA assumption, on Quadratic Residuosity, and on Factoring, using the Sigma protocols due to Guillou-Quisquater [GQ88], Fiat-Shamir [FS86], Ong-Schnorr [OS90], Okamoto [Oka92], and Fischlin and Fischlin [FF02]
  • We have presented a framework to redact and compress the content of blocks in virtually any blockchain based technology
  • There are several reasons why one could prefer a redactable blockchain to an immutable one
Results
  • In Section 4 the authors explain how to generically leverage any standard collision-resistant chameleon hash function into one meeting such a key-exposure freeness requirement.
  • Algorithm 1 (Chain Redact). Input: the chain C of length n, a set of block indices I ⊆ [n], a set of values {x_i}_{i∈I}, and the chameleon hash trapdoor key tk.
  • Following the common practice in the setting of MPC, the authors define two ideal functionalities that aim at capturing the security requirements for generating the hash keys and for redacting the blockchain in the decentralized setting.
  • When the system is set up for the first time, the authors need to run the key generation algorithm HGen for the underlying chameleon hash function, obtaining a public hash key hk and a secret trapdoor key tk.
  • While the authors view the technical tools that make redactions possible as the main contribution of this work, a natural question that arises is how the trapdoor key for the chameleon hash function is managed.
  • The authors start by formally defining collision resistance of public/secret coin chameleon hash functions, in Section 4.1.
  • Secret-coin chameleon hash functions can be used for the very same applications as public-coin ones, in particular for constructing chameleon signatures [KR00] and online/offline signatures [EGM96, ST01, BCR+13]; the only difference is that one needs to store the check value ξ in order to verify a hash value, and hash verification does not in general consist of re-computing the hash.
  • Let CH = (HGen, Hash, HCol) be a public-coin chameleon hash function, let PKE = (KGen, Enc, Dec) be a PKE scheme, and let NIA = (I, P, V) be a non-interactive argument system for the language
Conclusion
  • Assume that CH is a public-coin collision-resistant chameleon hash function, that PKE is a CPA-secure PKE scheme, and that NIA is an f-tSE-NIZK for the language of Eq. (1), where for any witness (r, ρ) the authors define f(r, ρ) = r.
  • As the experiments showed, the overhead imposed by having a mutable blockchain is negligible
Tables
  • Table 1: The redactable Bitcoin block header
Related work
  • Several papers have analyzed the properties and extended the features of the Bitcoin protocol (see, e.g., [ADMM14b, AFMdM14, ADMM15, PS15]). Bitcoin has also found several innovative applications far beyond its initial scope, e.g., to achieve fairness in secure multi-party computation [ADMM14c, ADMM14a, BK14], to build smart contracts [KMS+15, BDM16], for distributed cryptography [AD15], and more [KMB15, KT15, RKS15]. Blockchain-based technologies, and the properties they achieve, were also studied in recent work, both for the synchronous [GKL15] and the asynchronous [PSas16] network model.

    [Figure: two consecutive blocks of the redactable chain. Each block holds the fields HashPrev (s), Transactions (x), Nonce (ctr) and Randomness (r); the HashPrev stored in the following block is s' = H(ctr, G(s, x; r)), where G is the chameleon hash and H an ordinary hash function.]
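As an added example (not the paper's code), a toy Python implementation of the block structure above and of the Introduction and Results bullets: a Krawczyk-Rabin discrete-log chameleon hash with HGen/Hash/HCol, the link rule s' = H(ctr, G(s, x; r)), a single-block redaction in the spirit of Algorithm 1, and the key-exposure problem that motivates Section 4, namely that one exposed collision reveals the trapdoor. The group parameters are toy-sized and SHA-256 stands in for H; both are assumptions of this example.

```python
# Toy redactable chain on a Krawczyk-Rabin (discrete-log) chameleon hash; constructed example, not the paper's code.
# Hash(m; r) = g^m * h^r over a tiny safe-prime group (NOT secure sizes); SHA-256 stands in for H.
import hashlib
import secrets

P, Q = 2039, 1019   # toy safe prime P = 2Q + 1; real deployments need >= 2048-bit P
G = 4               # generator of the order-Q subgroup of Z_P^*
GENESIS = b"\x00" * 32

def to_zq(msg: bytes) -> int:
    """Encode an arbitrary message as an element of Z_Q (via SHA-256)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def hgen() -> tuple:
    """HGen: secret trapdoor key tk = x, public hash key hk = g^x mod P."""
    tk = secrets.randbelow(Q - 1) + 1
    return pow(G, tk, P), tk

def chash(hk: int, msg: bytes, r: int) -> int:
    """Hash(hk, m; r) = g^m * hk^r mod P."""
    return (pow(G, to_zq(msg), P) * pow(hk, r, P)) % P

def hcol(tk: int, msg: bytes, r: int, new_msg: bytes) -> int:
    """HCol: m + x*r = m' + x*r' (mod Q)  =>  r' = r + (m - m') * x^-1."""
    return (r + (to_zq(msg) - to_zq(new_msg)) * pow(tk, -1, Q)) % Q

def link(hk: int, blk: dict) -> bytes:
    """The value stored as HashPrev of the next block: H(ctr, G(s, x; r))."""
    g = chash(hk, blk["prev"] + blk["txs"], blk["r"])
    return hashlib.sha256(blk["ctr"].to_bytes(8, "big") + g.to_bytes(2, "big")).digest()

def build_chain(hk: int, tx_list: list) -> list:
    chain, prev = [], GENESIS
    for ctr, txs in enumerate(tx_list):   # nonce is just the index: no proof of work here
        blk = {"prev": prev, "txs": txs, "ctr": ctr, "r": secrets.randbelow(Q)}
        chain.append(blk)
        prev = link(hk, blk)
    return chain

def verify_chain(hk: int, chain: list) -> bool:
    """Each block's HashPrev must equal the link value of its predecessor."""
    prev = GENESIS
    for blk in chain:
        if blk["prev"] != prev:
            return False
        prev = link(hk, blk)
    return True

def redact(tk: int, chain: list, i: int, new_txs: bytes) -> tuple:
    """Algorithm 1 for one block: swap x_i for new_txs and use the trapdoor to pick r_i'
    so G, hence every later HashPrev, is unchanged. Returns the exposed (old message, old r)."""
    blk = chain[i]
    old_msg, old_r = blk["prev"] + blk["txs"], blk["r"]
    blk["r"] = hcol(tk, old_msg, old_r, blk["prev"] + new_txs)
    blk["txs"] = new_txs
    return old_msg, old_r

def recover_trapdoor(old_msg: bytes, old_r: int, new_msg: bytes, new_r: int):
    """Key exposure (why Section 4 wants key-exposure freeness): one published collision
    yields x = (m - m') / (r' - r) mod Q. None if m = m' (then r' = r and nothing leaks)."""
    if new_r == old_r:
        return None
    return ((to_zq(old_msg) - to_zq(new_msg)) * pow(new_r - old_r, -1, Q)) % Q

if __name__ == "__main__":
    hk, tk = hgen()
    chain = build_chain(hk, [b"tx: genesis", b"tx: unwanted content", b"tx: pay bob"])
    old_msg, old_r = redact(tk, chain, 1, b"tx: [redacted]")
    print(verify_chain(hk, chain), recover_trapdoor(old_msg, old_r, chain[1]["prev"] + chain[1]["txs"], chain[1]["r"]) == tk)
```

Running it prints `True True`: the chain still verifies after the redaction, and the collision it exposed hands the trapdoor to anyone who compares the two versions of the block.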
Reference
  • Accenture. Accenture debuts prototype of ‘editable’ blockchain for enterprise and permissioned systems. https://newsroom.accenture.com/news/accenturedebuts-prototype-of-editable-blockchain-for-enterprise-andpermissioned-systems.htm.
  • Marcin Andrychowicz and Stefan Dziembowski. PoW-based distributed cryptography with no trusted setup. In CRYPTO, pages 379–399, 2015.
  • Giuseppe Ateniese and Breno de Medeiros. On the key exposure problem in chameleon hashes. In SCN, pages 165–179, 2004.
  • [ADMM14a] Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, and Lukasz Mazurek. Fair two-party computations via Bitcoin deposits. In Financial Crypto, pages 105–121, 2014.
  • [ADMM14b] Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, and Lukasz Mazurek. Modeling Bitcoin contracts by timed automata. In FORMATS, pages 7–22, 2014.
  • [ADMM14c] Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, and Lukasz Mazurek. Secure multiparty computations on Bitcoin. In IEEE Symposium on Security and Privacy, pages 443–458, 2014.
  • [ADMM15] Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, and Lukasz Mazurek. On the malleability of bitcoin transactions. In Financial Crypto, pages 1–18, 2015.
  • [AFMdM14] Giuseppe Ateniese, Antonio Faonio, Bernardo Magri, and Breno de Medeiros. Certified bitcoins. In ACNS, pages 80–96, 2014.
  • Gilad Asharov and Yehuda Lindell. A full proof of the BGW protocol for perfectly-secure multiparty computation. ECCC, 18:36, 2011.
  • Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO, pages 41–55, 2004.
  • Gilles Brassard, David Chaum, and Claude Crépeau. Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci., 37(2):156–189, 1988.
  • Emmanuel Bresson, Dario Catalano, Mario Di Raimondo, Dario Fiore, and Rosario Gennaro. Off-line/on-line signatures revisited: a general unifying paradigm, efficient threshold variants and experimental results. Int. J. Inf. Sec., 12(6):439–465, 2013.
  • Waclaw Banasik, Stefan Dziembowski, and Daniel Malinowski. Efficient zero-knowledge contingent payments in cryptocurrencies without scripts. Cryptology ePrint Archive, Report 2016/451, 2016.
  • Amos Beimel. Secret-sharing schemes: A survey. In IWCC, pages 11–46, 2011.
  • Manuel Blum, Paul Feldman, and Silvio Micali. Non-interactive zero-knowledge and its applications (extended abstract). In STOC, pages 103–112, 1988.
  • Michael Ben-Or, Shafi Goldwasser, and Avi Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In STOC, pages 1–10, 1988.
  • Iddo Bentov and Ranjit Kumaresan. How to use bitcoin to design fair protocols. In CRYPTO, pages 421–439, 2014.
  • Allison Bishop, Valerio Pastro, Rajmohan Rajaraman, and Daniel Wichs. Essentially optimal robust secret sharing with maximal corruptions. IACR Cryptology ePrint Archive, 2015:1032, 2015.
  • Mihir Bellare and Todor Ristov. A characterization of chameleon hash functions and new, efficient designs. J. Cryptology, 27(4):799–823, 2014.
  • Vitalik Buterin. On public and private blockchains. https://blog.ethereum.org/2015/08/07/on-public-and-private-blockchains/.
  • Coindesk. Bitcoin venture capital. http://www.coindesk.com/bitcoinventure-capital/.
  • David Chaum and Torben P. Pedersen. Wallet databases with observers. In Advances in Cryptology - CRYPTO ’92, 12th Annual International Cryptology Conference, Santa Barbara, California, USA, August 16-20, 1992, Proceedings, pages 89–105, 1992.
  • Benoît Chevallier-Mames, Pascal Paillier, and David Pointcheval. Encoding-free ElGamal encryption without random oracles. In PKC, pages 91–104, 2006.
  • Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In CRYPTO, pages 13–25, 1998.
  • Xiaofeng Chen, Haibo Tian, Fangguo Zhang, and Yong Ding. Comments and improvements on key-exposure free chameleon hashing based on factoring. In Inscrypt, pages 415–426, 2010.
  • Xiaofeng Chen, Fangguo Zhang, and Kwangjo Kim. Chameleon hashing without key exposure. In ISC, pages 87–98, 2004.
  • Xiaofeng Chen, Fangguo Zhang, Willy Susilo, Haibo Tian, Jin Li, and Kwangjo Kim. Identity-based chameleon hash scheme without key exposure. In ACISP, pages 200–215, 2010.
  • Xiaofeng Chen, Fangguo Zhang, Willy Susilo, Haibo Tian, Jin Li, and Kwangjo Kim. Identity-based chameleon hashing and signatures without key exposure. Inf. Sci., 265:198–210, 2014.
  • Xiaofeng Chen, Fangguo Zhang, Haibo Tian, Baodian Wei, and Kwangjo Kim. Discrete logarithm based chameleon hashing and signatures without key exposure. Computers & Electrical Engineering, 37(4):614–623, 2011.
  • Ivan Damgård. Collision free hash functions and public key signature schemes. In EUROCRYPT, pages 203–216, 1987.
  • http://www.coindesk.com/immutability-extraordinary-goalsblockchain-industry/.
  • Ivan Damgård, Matthias Fitzi, Eike Kiltz, Jesper Buus Nielsen, and Tomas Toft. Unconditionally secure constant-rounds multi-party computation for equality, comparison, bits and exponentiation. In TCC, pages 285–304, 2006.
  • [DHLW10] Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt, and Daniel Wichs. Efficient public-key cryptography in the presence of key leakage. In ASIACRYPT, pages 613–631, 2010.
  • Shimon Even, Oded Goldreich, and Silvio Micali. On-line/off-line digital signatures. J. Cryptology, 9(1):35–67, 1996.
  • Taher ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Information Theory, 31(4):469–472, 1985.
  • Ethereum. Ethereum project. https://www.ethereum.org/.
  • Marc Fischlin and Roger Fischlin. The representation problem based on factoring. In CT-RSA, pages 96–113, 2002.
  • Marc Fischlin. Communication-efficient non-interactive proofs of knowledge with online extractors. In CRYPTO, pages 152–168, 2005.
  • [FKMV12] Sebastian Faust, Markulf Kohlweiss, Giorgia Azzurra Marson, and Daniele Venturi. On the non-malleability of the Fiat-Shamir transform. In INDOCRYPT, pages 60–79, 2012.
  • European Union Agency for Network and Information Security. Distributed ledger technology & cybersecurity, 2016.
  • Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In CRYPTO, pages 186–194, 1986.
  • Juan A. Garay, Aggelos Kiayias, and Nikos Leonardos. The Bitcoin backbone protocol: Analysis and applications. In EUROCRYPT, pages 281–310, 2015.
  • Shafi Goldwasser and Silvio Micali. Probabilistic encryption. J. Comput. Syst. Sci., 28(2):270–299, 1984.
  • Oded Goldreich. The Foundations of Cryptography - Volume 1, Basic Techniques. Cambridge University Press, 2001.
  • Louis C. Guillou and Jean-Jacques Quisquater. A “paradoxical” indentity-based signature scheme resulting from zero-knowledge. In CRYPTO, pages 216–231, 1988.
  • Jens Groth. Simulation-sound NIZK proofs for a practical language and constant size group signatures. In ASIACRYPT, pages 444–459, 2006.
  • Jens Groth and Amit Sahai. Efficient non-interactive proof systems for bilinear groups. In EUROCRYPT, pages 415–432, 2008.
  • Steve Hargreaves and Stacy Cowley. How porn links and Ben Bernanke snuck into bitcoin’s code. http://money.cnn.com/2013/05/02/technology/security/bitcoin-porn/index.html.
  • Dennis Hofheinz and Eike Kiltz. Secure hybrid encryption from weakened key encapsulation. In CRYPTO, pages 553–571, 2007.
  • Curt Hopkins. If you own Bitcoin, you also own links to child porn. http://www.dailydot.com/business/bitcoin-child-porn-transaction-code/.
  • Hyperledger project. https://www.hyperledger.org.
  • Blockchain Info. Bitcoin hashrate distribution. https://blockchain.info/pools.
  • Ranjit Kumaresan, Tal Moran, and Iddo Bentov. How to use bitcoin to play decentralized poker. In CCS, pages 195–206, 2015.
  • Ahmed E. Kosba, Andrew Miller, Elaine Shi, Zikai Wen, and Charalampos Papamanthou. Hawk: The blockchain model of cryptography and privacy-preserving smart contracts. IACR Cryptology ePrint Archive, 2015:675, 2015.
  • Hugo Krawczyk and Tal Rabin. Chameleon signatures. In NDSS, 2000.
  • Aggelos Kiayias and Qiang Tang. Traitor deterring schemes: Using bitcoin as collateral for digital content. In CCS, pages 231–242, 2015.
  • Alfonso Cevallos Manzano. Reducing the share size in robust secret sharing. Master’s thesis, Mathematisch Instituut Universiteit Leiden, the Netherlands, 2011.
  • Hank Moonie. Man’s “right to be forgotten” case stalls after he is found on the bitcoin blockchain. https://medium.com/@hankmoonie/mans-right-to-beforgotten-case-stalls-after-he-is-found-on-the-bitcoin-blockchain1a32c4fc0963#.ed36n2iwg.
  • Satoshi Nakamoto. Bitcoin core. https://github.com/bitcoin/bitcoin, 2009.
  • Kaisa Nyberg and Rainer A. Rueppel. Message recovery for signature schemes based on the discrete logarithm problem. In EUROCRYPT, pages 182–193, 1994.
  • Moni Naor and Vanessa Teague. Anti-persistence: history independent data structures. In ACM STOC, pages 492–501, 2001.
  • Tatsuaki Okamoto. Provably secure and practical identification schemes and corresponding signature schemes. In CRYPTO, pages 31–53, 1992.
  • OpenSSL project. http://www.openssl.org/.
  • H. Ong and Claus-Peter Schnorr. Fast signature generation with a Fiat-Shamir-like scheme. In EUROCRYPT, pages 432–440, 1990.
  • Stevens Institute of Technology. Blockchain just got much more powerful. https://www.stevens.edu/news/blockchain-just-got-much-more-powerful.
  • Kevin Petrasic and Matthew Bornfreund. Beyond bitcoin: The blockchain revolution in financial services. http://www.whitecase.com/publications/insight/beyond-bitcoin-blockchain-revolution-financial-services.
  • Jordan Pearson. The bitcoin blockchain could be used to spread malware, Interpol says. http://motherboard.vice.com/read/the-bitcoin-blockchain-couldbe-used-to-spread-malware-interpol-says.
  • Rafael Pass and Abhi Shelat. Micropayments for decentralized currencies. In CCS, pages 207–218, 2015.
  • Rafael Pass, Lior Seeman, and abhi shelat. Analysis of the blockchain protocol in asynchronous networks. Cryptology ePrint Archive, Report 2016/454, 2016.
  • Tal Rabin and Michael Ben-Or. Verifiable secret sharing and multiparty protocols with honest majority (extended abstract). In STOC, pages 73–85, 1989.
  • Phillip Rogaway and Mihir Bellare. Robust computational secret sharing and a unified account of classical secret-sharing goals. In CCS, pages 172–184, 2007.
  • Tim Ruffing, Aniket Kate, and Dominique Schröder. Liar, liar, coins on fire!: Penalizing equivocation by loss of Bitcoins. In CCS, pages 219–230, 2015.
  • European Securities and Markets Authority. The distributed ledger technology applied to security markets. Technical Report ESMA50-1121423017-285, January 2017.
  • Claus-Peter Schnorr. Efficient signature generation by smart cards. J. Cryptology, 4(3):161–174, 1991.
  • Alfredo De Santis, Giovanni Di Crescenzo, Rafail Ostrovsky, Giuseppe Persiano, and Amit Sahai. Robust non-interactive zero knowledge. In CRYPTO, pages 566–598, 2001.
  • Mike Scott. Authenticated ID-based key exchange and remote log-in with simple token and PIN number. IACR Cryptology ePrint Archive, 2002:164, 2002.
  • Adi Shamir. How to share a secret. Commun. ACM, 22(11):612–613, 1979.
  • Hovav Shacham. A Cramer-Shoup encryption scheme from the linear assumption and from progressively weaker linear variants. IACR Cryptology ePrint Archive, 2007:74, 2007.
  • Victor Shoup. Lower bounds for discrete logarithms and related problems. In EUROCRYPT, pages 256–266, 1997.
  • David Siegel. Understanding the DAO attack. http://www.coindesk.com/understanding-dao-hack-journalists/, 2016.
  • Adi Shamir and Yael Tauman. Improved online/offline signature schemes. In CRYPTO, pages 355–367, 2001.
  • James Smith, Jeni Tennison, Peter Wells, Jamie Fawcett, and Stuart Harrison. Applying blockchain technology in global data infrastructure. Technical Report ODI-TR-2016-001, Open Data Institute, 2016.
  • Jeni Tennison. What is the impact of blockchains on privacy? https://theodi.org/blog/impact-of-blockchains-on-privacy.
  • U.S. Government Accountability Office. Financial regulatory reform: Financial crisis losses and potential impacts of the Dodd-Frank Act. Technical report, U.S. Government Accountability Office, 2013.
  • Lloyd R. Welch and Elwyn R. Berlekamp. Error correction of algebraic block codes, 1986. US Patent 4,633,470.